Hi All:

Now I want to create a certificate chain by myself. It will look like this:

Server Certificate -> Intermediate CA -> Root CA.

Now I am using the openssl command to create these certificate files.

# Create CA
openssl genrsa -out ca.key 4096
openssl req -new -x509 -nodes -sha1 -days 1825 -key ca.key -out ca.crt

# Create Intermediate
openssl genrsa -out intermediate.key 4096
openssl req -new -sha1 -key intermediate.key -out intermediate.csr

# CA signs Intermediate
openssl x509 -req -days 1825 -in intermediate.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out intermediate.crt

# Create Server
openssl genrsa -out test.example.com.key 4096
openssl req -new -key test.example.com.key -out test.example.com.csr

# Intermediate signs Server
openssl x509 -req -days 1825 -in test.example.com.csr -CA intermediate.crt -CAkey intermediate.key -set_serial 01 -out test.example.com.crt

Now I install ca.crt into the Windows 7 local Trust Root Store. When I open the test.example.com.crt file, I can see "Certificate chain" in "Certification Path". But I get 1 warning on the intermediate certificate:

"This certification authority is not allowed to issue certificates or cannot be used as an end-entity certificate."

From searching, I think this is because the intermediate certificate/key is not a correct intermediate CA, so it cannot sign "test.example.com.crt".

Please kindly give me some suggestions about how to use the openssl command to sign "test.example.com.crt" with the intermediate CA.

Thanks!

--
Rejoice,I Desire!
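The intermediate in the post is signed with `openssl x509 -req` and no extension file, so it carries no `basicConstraints = CA:TRUE`, which is the condition the Windows warning describes. The script below is an added example, not part of the original post: it builds the same three-level chain with or without that extension and checks the result with `openssl verify`. The file name `chain.cnf`, the section names, the `-subj` values, the 2048-bit keys and SHA-256 are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: builds root -> intermediate -> server in directory $1 and
# prints the `openssl verify` result for the server certificate.
#   $2 = ca   : intermediate signed with the [ v3_ca ] extensions below
#   $2 = noca : intermediate signed as in the post, with no extensions
build_and_verify() (
    mkdir -p "$1" && cd "$1" || exit 1
    # chain.cnf and its section names are assumptions made for this example.
    cat > chain.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
subjectAltName = DNS:test.example.com
EOF
    # Root CA: self-signed and marked as a CA.
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -config chain.cnf -extensions v3_ca -sha256 \
        -days 1825 -key ca.key -subj "/CN=Example Root CA" -out ca.crt
    # Intermediate key and CSR.
    openssl genrsa -out intermediate.key 2048 2>/dev/null
    openssl req -new -config chain.cnf -sha256 -key intermediate.key \
        -subj "/CN=Example Intermediate CA" -out intermediate.csr
    # Root signs the intermediate. Without -extfile/-extensions no
    # basicConstraints is added, so "noca" yields a certificate without CA:TRUE.
    ext=""
    [ "$2" = ca ] && ext="-extfile chain.cnf -extensions v3_ca"
    openssl x509 -req -sha256 -days 1825 -in intermediate.csr -CA ca.crt \
        -CAkey ca.key -set_serial 01 $ext -out intermediate.crt 2>/dev/null
    # Server key and CSR, signed by the intermediate as a leaf certificate.
    openssl genrsa -out test.example.com.key 2048 2>/dev/null
    openssl req -new -config chain.cnf -sha256 -key test.example.com.key \
        -subj "/CN=test.example.com" -out test.example.com.csr
    openssl x509 -req -sha256 -days 1825 -in test.example.com.csr \
        -CA intermediate.crt -CAkey intermediate.key -set_serial 02 \
        -extfile chain.cnf -extensions v3_server \
        -out test.example.com.crt 2>/dev/null
    # Validate the leaf against the root, with the intermediate as untrusted.
    openssl verify -CAfile ca.crt -untrusted intermediate.crt \
        test.example.com.crt 2>&1
)
```

Calling `build_and_verify ./fixed ca` reports the server certificate as OK; with `noca` the same verification is rejected at the intermediate.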